QRecorder app in the Play Store was hiding a Banking Trojan that targets European banks
28.9.2018 securityaffairs
Android

The QRecorder app in the Play Store impersonating a phone call and voice recording utility embedded a banking malware used to target European banks.
Security experts from ESET have discovered a malicious app in the official Google Play Store that impersonates a phone call and voice recording utility, it was hiding a banking malware used to target customers of European banks.

The malware, tracked as Razdel, is a variant of BankBot mobile banking Trojan.

According to the Czech Television, the malicious code targets apps from Raiffeisen Bank, as well as ČSOB and Česká Spořitelna.

Czech Police shared the identikit and pictures from ATM security camera of a money mule withdrawing money from one of the Prague ATM from affected victims accounts.

The malware was hidden in the QRecorder app and according to the ESET security researcher Lukas Stefanko, the banking Trojan was downloaded and installed by over 10,000.

QRecorder app malware

The malicious QRecorder app is able to intercept SMS two-factor authentication (2FA) messages and ask for permission to display overlays on top of legitimate bank apps to control what the user sees on his device.

To avoid raising suspicions, the malicious application correctly implements the audio recording features.

Stefanko discovered that the threat actor behind the operator sends commands to the app within 24 hours from installation, for example, it scans the device for specific banking apps.

Attacker leverages Google Firebase messages to communicate with compromised devices. If one of the targeted apps is installed on the device, before downloading payload it would request the user to activate Accessibility service and using this permission it would automatically download and execute the malicious payload.

Once the malicious payload is downloaded it sets triggers for legitimate banking apps. If one of the targeted apps is launched by the user, the malware displays overlay to steal credentials.

“Before downloading payload it would request user to activate Accessibility service and using this permission it would automatically download, install and open malicious payload.” wrote Stefanko.

“Once payload is downloaded it sets triggers for legitimate banking apps. If one of the targeted apps is launched it would create similar like looking activity that overlays official app demanding credentials.”

According to official statement of Czech police, QRecorder infected five victims in Czech Republic stealing a total of over 78,000 Euros from their accounts.

The analysis of the code revealed that the QRecorder malware is able to monitor a large number of banks, including Air Bank, Equa, ING, Bawag, Fio, Oberbank, and Bank Austria.

One of the most interesting aspects of this malware is that the threat actor created different payloads for each targeted bank.

QRecorder app was removed from the official Android store, below a video that shows how the app operates.